博托问题IAM角色 [英] boto issue with IAM role

问题描述

我想使用AWS最近公布的功能，它可以让安全证书自动获取传递到EC2实例的EC2 IAM角色。 （见<一href="http://aws.amazon.com/about-aws/whats-new/2012/06/11/Announcing-IAM-Roles-for-EC2-instances/">http://aws.amazon.com/about-aws/whats-new/2012/06/11/Announcing-IAM-Roles-for-EC2-instances/).

我已经成立了一个实例与IAM角色描述。我还可以得到（貌似）适当的访问密钥/凭据卷曲。

不过，博托无法做到像get_all_buckets一个简单的通话，即使我已经打开了角色的所有S3权限。

我得到的错误是你所提供的AWS访问密钥ID不存在于我们的记录

然而，在错误中列出的接入密钥相匹配的一个I从卷曲得到

下面是失败的脚本中，带有IAM角色，让所有的S3权限运行在EC2实例：

 进口的urllib2
进口AST
从boto.s3.connection进口S3Connection

resp=urllib2.urlopen('http://169.254.169.254/latest/meta-data/iam/security-credentials/DatabaseApp').read()
RESP = ast.literal_eval（RESP）
打印访问：+ RESP ['AccessKeyId']
打印秘密+ RESP ['SecretAccessKey']
康恩= S3Connection（RESP ['AccessKeyId']，RESP ['SecretAccessKey']）
RS = conn.get_all_buckets（）
 

解决方案

如果您使用的是博托2.5.1或更高版本，它实际上比这要容易得多。宝途会自动寻找在实例元数据为您的凭据，并使用它们，只要没有其他凭据找到环境变量或在博托配置文件。所以，你应该能够简单地做到这一点的EC2实例：

 ＆GT;＆GT;＆GT;进口博托
＆GT;＆GT;＆GT; C = boto.connect_s3（）
＆GT;＆GT;＆GT; RS = c.get_all_buckets（）
 

原因你手动的方法失败是与IAM角色相关联的证书是一个临时会话证书，由一个 access_key ，一个 SECRET_KEY 和 security_token ，你需要提供所有这三个值到 S3Connection 构造。

I'm trying to use AWS' recently announced "IAM roles for EC2" feature, which lets security credentials automatically get delivered to EC2 instances. (see http://aws.amazon.com/about-aws/whats-new/2012/06/11/Announcing-IAM-Roles-for-EC2-instances/).

I've set up an instance with an IAM role as described. I can also get (seemingly) proper access key / credentials with curl.

However, boto fails to do a simple call like "get_all_buckets", even though I've turned on ALL S3 permissions for the role.

The error I get is "The AWS Access Key Id you provided does not exist in our records"

However, the access key listed in the error matches the one I get from curl.

Here is the failing script, run on an EC2 instance with an IAM role attached that gives all S3 permissions:

import urllib2
import ast
from boto.s3.connection import S3Connection

resp=urllib2.urlopen('http://169.254.169.254/latest/meta-data/iam/security-credentials/DatabaseApp').read()
resp=ast.literal_eval(resp)
print "access:" + resp['AccessKeyId']
print "secret:" + resp['SecretAccessKey']
conn = S3Connection(resp['AccessKeyId'], resp['SecretAccessKey'])
rs= conn.get_all_buckets()

解决方案

If you are using boto 2.5.1 or later it's actually much easier than this. Boto will automatically find the credentials in the instance metadata for you and use them as long as no other credentials are found in environment variables or in a boto config file. So, you should be able to simply do this on the EC2 instance:

>>> import boto
>>> c = boto.connect_s3()
>>> rs = c.get_all_buckets()

The reason that your manual approach is failing is that the credentials associated with the IAM Role is a temporary session credential and consists of an access_key, a secret_key and a security_token and you need to supply all three of those values to the S3Connection constructor.

这篇关于博托问题IAM角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！